8/3/2019 what is honeypot
1/24
Honeypot & Honeynet
Sina Manavi
Content
What is Honeypot
What is Honeynet
Advantages and Disadvantages of Honeypot/net
Definition of Honeypot:
A Honeypot is an information system resource
whose value lies in unauthorized or illicit use
of that resource.
- Lance Spitzner
Honeypot value:
Prevention: prevents automated attacks (worms and auto-rooters)
Detection: identifies a failure or breakdown in prevention
Response
How Honeypot works:
[Diagram: attackers send attack data through a gateway to Honeypot A; the honeypot's roles are labelled Prevent, Detect and Response, with no connection back to the attackers]
Architecture
A honeypot can be placed:
In front of the firewall (Internet)
DMZ (DeMilitarized Zone)
Behind the firewall (intranet)
Honeypot Classification:
By implementation: Virtual, Physical
By purpose: Production, Research
By level of interaction: High, Low, Middle?
Implementation of Honeypot
Physical: Real machines
Own IP addresses
Often high-interaction
Virtual: Simulated by other machines that:
Respond to the traffic sent to the honeypots
May simulate a lot of (different) virtual honeypots at the same time
Physical Honeypot vs. Virtual Honeypot
PH (real machines, NICs, typically high-interaction): High maintenance cost.
Impractical for large address spaces.
VH (simulated by other machines): Multiple virtual services and VMs on one machine.
Typically simulates only network-level interactions, but is still able to capture intrusion attempts.
Purpose of Honeypot:
Research: Complex to deploy and maintain.
Captures extensive information.
Run by volunteers (non-profit).
Used to research the threats organizations face.
Production: Easy to use
Captures only limited information
Used by companies or corporations
Mitigates risks in the organization
Interaction Level:
Low Interaction
High Interaction
Note: Interaction measures the amount of activity an attacker
can have with a honeypot.
Low Interaction vs. High Interaction
                  Low-Interaction     High-Interaction
Installation      Easy                More difficult
Maintenance       Easy                Time consuming
Risk              Low                 High
Need Control      No                  Yes
Data gathering    Limited             Extensive
Interaction       Emulated services   Full control
Examples of Honeypots:
High Interaction:
Symantec Decoy Server (ManTrap)
Honeynets
Low Interaction:
Nepenthes
Honeyd (virtual honeypot)
KFSensor
BackOfficer Friendly
Honeynet History:
Informally began in April 1999
The Honeynet Project officially formed in June 2000
Became a non-profit corporation in September 2001
Made up of thirty volunteer security professionals
What is a Honeynet?
An actual network of computers
A high-interaction honeypot
It's an architecture, not a product
Provides real systems, applications, and services for attackers to interact with.
Any traffic entering or leaving is suspect.
How does the Honeynet work?
By monitoring, capturing, and analyzing all the packets entering or leaving through the network.
All traffic entering or leaving the Honeynet is naturally suspect.
Honeynet Evolution
1997, DTK (Deception Toolkit)
1999, a single sacrificial computer
2000, Generation I Honeynet
2003, Generation II Honeynet
2003, Honeyd software
2004, Distributed Honeynets, Malware Collector...
2009, Dionaea (multi-stage payloads, SIP, ...), Kojoney, Kippo
Architecture Requirements:
Data Control
Data Capture
Data Control of the Honeynet
[Diagram: on the left, honeypots connected to the Internet with no restrictions; on the right, honeypots connected to the Internet through a Honeywall, where connections are limited and packets are scrubbed]
Honeynet Generations:
Gen I: Simple methodology, limited capability
Highly effective at detecting automated attacks
Uses a reverse firewall for data control
Can be fingerprinted by a skilled hacker
Runs at OSI Layer 3
Gen II: More complex to deploy and maintain
Examines outbound data and makes a determination to block, pass, or modify it
Runs at OSI Layer 2
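As an added example (not from the slides, and not the Honeynet Project's own code), a Python sketch of the two architecture requirements together: data capture, where every flow touching a honeypot is recorded as suspect, and Gen II-style data control, where outbound connections from a honeypot are passed up to a per-window limit and then blocked. The honeypot subnet, the limit, the window and the flow records are all constructed assumptions.

```python
# Added example, not from the slides: honeywall-style capture and data control
# decisions over constructed flow records. The honeypot subnet, the outbound
# limit, the window length and the sample flows are all assumptions.
from collections import defaultdict
from ipaddress import ip_address, ip_network

HONEYNET = ip_network("10.66.0.0/24")  # constructed honeypot address range
OUTBOUND_LIMIT = 3                      # outbound connections per honeypot per window
WINDOW_SECONDS = 3600


def classify(flows, limit=OUTBOUND_LIMIT, window=WINDOW_SECONDS):
    """Return one (verdict, reason) pair per flow, in input order.

    flows: time-ordered (timestamp, src_ip, dst_ip, dst_port) tuples.
    Inbound to a honeypot  -> "capture" (all such traffic is suspect).
    Outbound from honeypot -> "pass" until the per-window limit, then "block".
    Anything else          -> "ignore" (including honeypot-to-honeypot).
    """
    recent = defaultdict(list)  # honeypot ip -> timestamps of passed outbound flows
    verdicts = []
    for ts, src, dst, dport in flows:
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if dst_ip in HONEYNET and src_ip not in HONEYNET:
            verdicts.append(("capture", f"inbound to honeypot port {dport}"))
        elif src_ip in HONEYNET and dst_ip not in HONEYNET:
            window_hits = [t for t in recent[src] if ts - t < window]  # expire old
            recent[src] = window_hits
            if len(window_hits) < limit:
                window_hits.append(ts)
                verdicts.append(("pass", f"outbound {len(window_hits)}/{limit}"))
            else:
                verdicts.append(("block", "outbound limit reached"))
        else:
            verdicts.append(("ignore", "not honeynet traffic"))
    return verdicts


# Constructed flow records: (timestamp, src, dst, dst_port).
SAMPLE_FLOWS = [
    (0, "198.51.100.7", "10.66.0.5", 22),      # attacker probes the honeypot
    (10, "198.51.100.7", "10.66.0.5", 445),
    (60, "10.66.0.5", "203.0.113.9", 80),      # compromised honeypot calls out
    (70, "10.66.0.5", "203.0.113.9", 80),
    (80, "10.66.0.5", "203.0.113.10", 6667),
    (90, "10.66.0.5", "203.0.113.11", 25),     # fourth outbound: blocked
    (100, "192.0.2.1", "192.0.2.2", 443),      # unrelated traffic
    (4000, "10.66.0.5", "203.0.113.11", 25),   # new window: passed again
]

if __name__ == "__main__":
    for flow, (verdict, reason) in zip(SAMPLE_FLOWS, classify(SAMPLE_FLOWS)):
        print(f"{flow[0]:>5}s {flow[1]:>14} -> {flow[2]:<14} {verdict:<8} {reason}")
```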
Advantages and Disadvantages of Honeynets/pots
Advantages:
Honeypots are focused (small data sets)
Honeypots help to reduce false positives
Honeypots help to catch unknown attacks (false negatives)
Honeypots can capture encrypted activity (cf. Sebek)
Honeypots work with IPv6
Honeypots are very flexible (advantage/disadvantage?)
Honeypots require minimal resources
Disadvantages:
Honeypots' field of view is limited (focused)
Risk
Q&A
Thank you
1/12/2011